Security Engineer (Security Team)

About our company

Semrush is a unified online platform that allows marketing professionals to create campaigns in all available channels, manage them, measure results and improve the online visibility of their products and services.

We've been developing our product for 13 years and in that time we've won many different awards: Top 100 Software Products from G2, Global and US Search Awards 2021, Great Place to Work Certification and Deloitte Technology Fast 500.

In March 2021, Semrush went public, and we listed our stock on the New York Stock Exchange (NYSE) under the SEMR ticker.

We now have 10,000,000+ customers in America, Europe, Asia and Australia, and more than 1,000 people around the world working on our service.

About our team

You can get to know the team better at one of the interviews, but some brief information about your future colleagues will be useful now.

The Semrush Security Team comprises:

• Application Security Team.
• Infrastructure Security Team.
• Common Flow & Compliance Team.

As Semrush continues to grow, so does our necessity to simplify and automate workflows to meet the needs of our internal teams, partners, and external users. The Semrush Security Team is a strong team, and the famous security researcher Andrey Leonov and other talented guys are with us. We speak at conferences, hold internal and external events (CTF, meetups), do research work, and train employees on how to find vulnerabilities and defend against them.

The group currently consists of three specialists, and we are engaged in the provisioning and development of infrastructure security in the company. Our team has big plans and ambitions. We try to make all decisions jointly. We are missing a colleague who likes to solve complex tasks, who is ready to explore and create new things, who is not afraid to look at the backlog sometimes. We have several projects underway.

• Work with the team to develop security practices in GCP and k8s (focus on Policy as Code).
• Participate in architecture reviews and audits of new services in terms of infrastructure security.
• Integrate security controls with CI/CD.
• Develop and help dev teams implement secure secret storage practices (Vault / GCP secret manager).
• Participate in the development of an existing SIEM security incident detection and response system based on Splunk ES.

We also have many plans that have yet to be discussed and implemented. There is an opportunity to offer your vision of how we can improve infrastructure security and what opportunities there are for automation.

What challenges you will have to face?

We have a very flexible approach, and we always try to find a compromise between the necessary tasks and the interesting ones. We try to set aside a little more time to be able to work through the task well, document everything important, and, if necessary, conduct research.

There are no clear frameworks in the group, all initiatives / improvements / development of systems are discussed, and a roadmap with success criteria is formed. We try not to limit ourselves in the scopes of decisions we choose, we like reasoned arguments, and we always help each other.

Responsibilities

• Developing various kinds of security policies and regulations. For example, policy for adding external accounts, access control policy, and more.
• Keeping documentation up to date.
• Planning and conducting training for company employees. Increasing security awareness and acknowledgement — advising colleagues on security issues in their daily work.
• Monitoring security processes within the company.
• Implementing security practices in daily work.
• Participating in improving processes within and outside the team.
• Developing and implementing tools and services to ensure company security.

Requirements

We think these types of experience and competencies will help our future colleagues join the team.

• Excellent communication skills.
• Experience in drafting technical documentation.
• At least one year of experience in the information security field.
• Knowledge of English at Upper-Intermediate or higher level.
• You understand the difference between SAML and SSO.
• You know SPF, DKIM, and DMARC email authentication methods and how to properly configure email domain security policies.
• Experience with antivirus or EDR solutions.
• Experience with MDM solutions.
• Experience conducting security awareness.

They say there are no perfect candidates, but it might as well be you, if you have:

• You have experience in configuring systems according to security standards.
• Skills in writing simple scripts in Bash or Python are desirable.
• Experience in writing RegExp will be a plus.
• Experience with SIEM systems will be great.
• Experience in working with IdM or IdP systems is also desirable.
• Experience in setting up or administering Google Workspace or Okta will be a big advantage.

We offer

• License for Burp Pro, Metasploit Pro and other hacking tools, as well as help from friendly colleagues.
• Access to online platforms HTB.
• Remote work. We are used to this format of cooperation, but we always have the opportunity to organize business trips for team members from different cities and get together (if desired and agreed) in our cozy office.
• Flexible working day start that would suit a night owl and an early bird alike. You can start between 9:00 am and 12:00 pm.
• Stock Purchase Program (ESPP).
• Agile approach to work (we’ll gladly teach you).
• Online English classes.
• Training / online courses and workshops / conferences / books to improve your hard- and soft skills.
• Awesome parties, team building, and corporate events in different formats — both online and offline, depending on the current global situation. We can have fun in any case.
• Development teams meet regularly at technical and product demos. We're all for sharing knowledge.

Hiring process

• At Semrush, we take a serious and comprehensive approach to hiring new people. We welcome those who are professionals in their field and passionate about their work to join our team.
• A "five-minute interview" or "get a job in three clicks" approach is not the way we work.
• During the interview, we ask candidates to talk about themselves and their background in detail. We try to discover the most important aspects about the way someone works and their personality before a job offer is made.

Semrush is an equal opportunity employer. We celebrate diversity and are committed to creating an inclusive environment for all employees. We do not discriminate based on race, religion, creed, color, national origin, sex, pregnancy, sexual orientation, gender identity, gender expression, age, ancestry, physical or mental disability, or medical condition, including medical characteristics, genetic identity, marital status, military service, or any other classification protected by applicable local, state or federal laws. All employment decisions are based on business needs, job requirements, merit, and individual qualifications.